(54) System and method for supporting distributed computing mechanisms in a local area network server environment



(57) LAN server machines are configured to utilize their existing mechanisms to pass generic security subsystem (GSS), distributed computing environment (DCE) credentials. The server management block (SMB) protocol is extended to facilitate exchange of such credentials, wherein the server utilizes the GSS API interface to obtain and validate such credentials. The GSS interface provides tokens which encapsulate all necessary information to perform mutual authentication between the client and server.



A new protocol level is defined with respect to such SMB protocol extensions, which includes a new protocol name exchanged in the negotiate protocol (NP) SMB. Pre-existing LAN servers will turn on a bit in the SMB_Secmode field in the NP response indicating that the server supports exchange of the secpkgX SMB. The server will then wait for an SMB secpkgX or SMB sesssetupX response. The former response will permit the user/client and server to exchange GSS tokens utilizing a conventional LAN server mechanism and thereby mutually authenticate.
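The negotiation just described, modelled as an added example (not code from the patent or from any LAN server product): the client offers protocol names in the NP exchange, the server advertises secpkgX support through a bit in SMB_Secmode only when the new protocol name was offered, and a client that did not see that bit falls back to the conventional sesssetupX path. The bit value, the protocol name, the message shapes and the stub GSS mechanism (shared-key HMAC mutual authentication over both sides' nonces) are all assumptions; the real mechanism would carry GSS/DCE credentials.

```python
"""Simplified model of the NP / secpkgX / sesssetupX flow (added example, not the SMB wire format)."""
import hashlib
import hmac
import secrets

SECMODE_SECPKGX = 0x04        # assumed bit in SMB_Secmode advertising secpkgX support
NEW_DIALECT = "LM-GSS-EXT"    # assumed protocol name exchanged in the NP SMB


class StubGssMechanism:
    """Constructed stand-in for a GSS mechanism: each side proves knowledge of a shared
    key over both nonces, so a completed exchange authenticates both directions."""

    def __init__(self, key: bytes):
        self.key = key

    def _mac(self, label: bytes, *parts: bytes) -> bytes:
        return hmac.new(self.key, label + b"".join(parts), hashlib.sha256).digest()

    # client side
    def init_token(self) -> bytes:
        return secrets.token_bytes(16)                       # client nonce

    def client_response(self, client_nonce: bytes, server_token: bytes):
        server_nonce, server_proof = server_token[:16], server_token[16:]
        if not hmac.compare_digest(server_proof, self._mac(b"S", client_nonce, server_nonce)):
            return None                                      # server failed to prove the key
        return self._mac(b"C", client_nonce, server_nonce)   # client's own proof

    # server side
    def accept_token(self, client_nonce: bytes):
        server_nonce = secrets.token_bytes(16)
        return server_nonce, server_nonce + self._mac(b"S", client_nonce, server_nonce)

    def accept_final(self, client_nonce: bytes, server_nonce: bytes, client_proof: bytes) -> bool:
        return hmac.compare_digest(client_proof, self._mac(b"C", client_nonce, server_nonce))


class ProtocolError(Exception):
    pass


class LanServer:
    def __init__(self, mech: StubGssMechanism, supports_secpkgx: bool = True):
        self.mech = mech
        self.supports_secpkgx = supports_secpkgx
        self.secmode = 0
        self.pending = None

    def negotiate(self, dialects):
        """NP SMB: advertise secpkgX only when the client offered the new protocol name."""
        self.secmode = 0
        if self.supports_secpkgx and NEW_DIALECT in dialects:
            self.secmode |= SECMODE_SECPKGX
        return {"SMB_Secmode": self.secmode}

    def secpkgx(self, client_token: bytes) -> bytes:
        """secpkgX SMB carrying the client's GSS token; refused unless negotiated."""
        if not self.secmode & SECMODE_SECPKGX:
            raise ProtocolError("secpkgX was not negotiated in the NP exchange")
        server_nonce, token = self.mech.accept_token(client_token)
        self.pending = (client_token, server_nonce)
        return token

    def secpkgx_final(self, client_proof: bytes) -> bool:
        client_nonce, server_nonce = self.pending
        return self.mech.accept_final(client_nonce, server_nonce, client_proof)

    def sesssetupx(self) -> str:
        return "legacy"        # conventional session setup, no GSS tokens exchanged


def connect(server: LanServer, client_mech: StubGssMechanism, dialects):
    """Client driver. Returns ("gss", mutual_ok) or ("legacy", None)."""
    resp = server.negotiate(dialects)
    if not resp["SMB_Secmode"] & SECMODE_SECPKGX:
        return server.sesssetupx(), None
    client_nonce = client_mech.init_token()
    server_token = server.secpkgx(client_nonce)
    client_proof = client_mech.client_response(client_nonce, server_token)
    if client_proof is None:
        return "gss", False    # client refuses to continue with an unauthenticated server
    return "gss", server.secpkgx_final(client_proof)
```

The server keeps the negotiated mode as state and refuses a secpkgX that was not preceded by a matching NP response, which is the check that stops a client from skipping the negotiation; the client, for its part, only sends its own proof after the server's token verified.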
(54) Centralized certificate management system for two-way interactive communication devices in data networks



(57) The present invention discloses a method for managing centralized certificates in a proxy server device (114) for a plurality of thin client devices (302, 304, 306) coupled thereto through a data network (102). A user account database, accessible by the proxy server, comprises a plurality of user accounts, with each of the thin client devices being associated with one or more of the user accounts. Each of the user accounts comprises a device ID (316), a list of public and private keys (326) assigned to the user account, and a list of certificates (320) assigned to the user account. A certificate management module reserves a fixed number of free certificates signed by a Certificate Authority and their respective private keys in a certificate database (328) and frequently updates the free certificates according to a certificate updating message. Whenever a user account is created for a thin client device, the certificate management module fetches one or more free certificates from the certificate database, associates the fetched certificate(s) with the created account, and at the same time creates new free certificates with the Certificate Authority to fill in the certificate database.
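The reserve-and-replenish scheme above, as an added example that is not the patent's or any vendor's code: a manager keeps a fixed number of pre-signed free certificates (with their private keys), hands them to newly created accounts, refills the reserve at once, and discards free certificates named in an updating message. The CA is a constructed stand-in that produces placeholder serials and key strings rather than real signed certificates; class and field names are assumptions.

```python
"""Fixed-size pool of free certificates assigned to thin-client accounts on creation (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Certificate:
    serial: str
    public_key: str
    private_key: str      # stored with the free certificate until it is assigned


class StubCertificateAuthority:
    """Constructed stand-in for the CA: returns a fresh serial and placeholder key pair."""

    def __init__(self):
        self.issued = 0

    def issue(self) -> Certificate:
        self.issued += 1
        return Certificate(serial=f"{self.issued:06d}",
                           public_key="pub-" + secrets.token_hex(8),
                           private_key="priv-" + secrets.token_hex(8))


@dataclass
class UserAccount:
    device_id: str
    keys: List[Tuple[str, str]] = field(default_factory=list)       # (public, private)
    certificates: List[Certificate] = field(default_factory=list)


class CertificateManager:
    def __init__(self, ca: StubCertificateAuthority, reserve: int):
        if reserve < 1:
            raise ValueError("reserve must be at least 1")
        self.ca = ca
        self.reserve = reserve                # fixed number of free certificates to keep
        self.free: List[Certificate] = []     # the certificate database of free certificates
        self.accounts: Dict[str, UserAccount] = {}
        self.replenish()

    @property
    def free_count(self) -> int:
        return len(self.free)

    def replenish(self) -> None:
        """Create new free certificates with the CA until the reserve is full again."""
        while len(self.free) < self.reserve:
            self.free.append(self.ca.issue())

    def create_account(self, device_id: str, certs_needed: int = 1) -> UserAccount:
        if device_id in self.accounts:
            raise ValueError("account already exists")
        if not 1 <= certs_needed <= self.reserve:
            raise ValueError("cannot assign more certificates than the reserve holds")
        account = UserAccount(device_id)
        for _ in range(certs_needed):
            cert = self.free.pop(0)           # fetch a free certificate, oldest first
            account.certificates.append(cert)
            account.keys.append((cert.public_key, cert.private_key))
        self.accounts[device_id] = account
        self.replenish()                      # refill immediately so the next account never waits on the CA
        return account

    def apply_update(self, retired_serials) -> None:
        """Certificate updating message: drop the named free certificates and refill."""
        retired = set(retired_serials)
        self.free = [c for c in self.free if c.serial not in retired]
        self.replenish()

    def consistent(self) -> bool:
        """No certificate is both free and assigned, and no certificate is assigned twice."""
        free = {c.serial for c in self.free}
        assigned = [c.serial for a in self.accounts.values() for c in a.certificates]
        return free.isdisjoint(assigned) and len(assigned) == len(set(assigned))
```

Because the reserve is refilled inside create_account, account creation never blocks on the CA, and the consistent() check is the invariant a reviewer would want asserted after every assignment and every update message.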
(54) Title: METHOD AND APPARATUS FOR COMPLIANCE CHECKING IN A TRUST-MANAGEMENT SYSTEM
(57) Abstract 



A method and apparatus are provided for compliance checking in a trust-management system. A request r, a policy assertion (f0, POLICY), and n-1 credential assertions (f1, s1), ..., (fn-1, sn-1) are received, each credential assertion comprising a credential function fi and a credential source si. Each assertion may be monotonic, authentic, and locally bounded. An acceptance record set S is initialized to {(Λ, Λ, R)}, where Λ represents a distinguished null string, and R represents the request r. Each assertion (fi, si), where i represents the integers from n-1 to 0, is run and the result is added to the acceptance record set S. This is repeated mn times, where m represents a number greater than 1, and an acceptance is output if any of the results in the acceptance record set S comprise an acceptance record (0, POLICY, R).
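The compliance checker described above, as an added example written here rather than taken from the patent: assertions are run from fn-1 down to f0 against a growing acceptance record set, up to mn passes, and the request is accepted if (0, POLICY, R) appears. The representation of an assertion as a function from (request, current records) to the set of requests it accepts, the vouch_if/vouch_always helpers, the checker stamping the index and source onto each record, and stopping early once a pass adds nothing (valid only because the assertions are monotonic) are all assumptions beyond the abstract.

```python
"""Acceptance-record compliance checker in the style of the abstract above (added example)."""
from typing import Callable, FrozenSet, List, Set, Tuple

LAMBDA = ""        # stands in for the distinguished null string Λ
POLICY = "POLICY"  # source label reserved for the policy assertion f0

# Acceptance record (i, s_i, R): index of the assertion (or Λ), its source, the request it accepted.
Record = Tuple[object, str, str]
# An assertion f_i maps (request, current acceptance records) to the set of requests it accepts.
Assertion = Callable[[str, FrozenSet[Record]], Set[str]]


def check_compliance(request: str, assertions: List[Tuple[Assertion, str]], m: int = 2):
    """assertions[0] is (f0, POLICY); assertions[1:] are (f1, s1) ... (fn-1, sn-1).
    Returns (accepted, acceptance_records, passes_run)."""
    n = len(assertions)
    if n == 0 or assertions[0][1] != POLICY:
        raise ValueError("assertions[0] must be the policy assertion (f0, POLICY)")
    if any(source == POLICY for _, source in assertions[1:]):
        raise ValueError("a credential assertion may not claim the POLICY source")
    if m <= 1:
        raise ValueError("m must be greater than 1")
    records: Set[Record] = {(LAMBDA, LAMBDA, request)}
    passes = 0
    for _ in range(m * n):                  # the abstract's mn repetitions, used as the upper bound
        passes += 1
        size_before = len(records)
        for i in range(n - 1, -1, -1):      # run f(n-1) first and the policy f0 last
            f, source = assertions[i]
            for accepted in f(request, frozenset(records)):
                # The checker, not the assertion, stamps index and source on the record,
                # so no assertion can forge another source's acceptance.
                records.add((i, source, accepted))
        if len(records) == size_before:     # fixed point: monotonic assertions add nothing more
            break
    return (0, POLICY, request) in records, records, passes


def vouch_if(required_source: str) -> Assertion:
    """Assertion that accepts the request once a record from required_source has accepted it."""
    def f(request, records):
        if any(src == required_source and r == request for _, src, r in records):
            return {request}
        return set()
    return f


def vouch_always() -> Assertion:
    """Assertion that accepts the request unconditionally."""
    def f(request, records):
        return {request}
    return f


if __name__ == "__main__":
    # Constructed scenario: the policy trusts "ca", "ca" trusts "hr", and "hr" vouches outright.
    # Because "ca" (index 2) runs before "hr" (index 1) in each pass, the chain needs a second pass.
    chain = [(vouch_if("ca"), POLICY), (vouch_always(), "hr"), (vouch_if("hr"), "ca")]
    print(check_compliance("read:report.pdf", chain))
```

In the constructed scenario the first pass only records hr's acceptance, the second pass lets ca and then the policy accept, and the third pass changes nothing, so the checker stops well inside the mn bound; dropping the hr credential leaves the set unchanged after the first pass and the request is rejected.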
(57) Abstract: The basic concept is that before a resource is accessed, the entity that has the burden of gathering the credentials pro-actively refreshes the credentials and keeps them current. In one instance, a presenter of credentials, for example a client, pro-actively refreshes the credentials such that at the time of presentation the credentials meet the resource-specific constraints of a recipient of credentials, for example a resource server. For each resource that it protects, a resource server typically establishes various constraints such as a recency requirement, which specifies how recently a credential has to have been issued to be accepted as an adequate credential. Other constraints may include maximum certificate chain length, trust level and so forth. In another instance, a recipient of credentials pro-actively gathers and refreshes credentials to prevent unauthorized access to the various resources it is protecting.
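The presenter-side instance above, as an added example (not code from the patent): a resource server records per-resource constraints (recency, maximum chain length, minimum trust level), and the presenter checks its credential against those constraints before presenting, re-issuing it when recency is the only problem. The credential fields, the constraint names and the stub issuer that re-stamps the issue time are assumptions.

```python
"""Pro-active credential refresh against resource-specific constraints (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Credential:
    subject: str
    issued_at: int       # constructed timestamp in seconds
    chain_length: int    # certificates in the chain backing the credential
    trust_level: int     # higher means more trusted


@dataclass(frozen=True)
class Constraints:
    max_age: int           # recency requirement: issued no more than max_age seconds ago
    max_chain_length: int
    min_trust_level: int


def violations(cred: Credential, c: Constraints, now: int) -> List[str]:
    """Every constraint the credential fails at time `now` (empty list means acceptable)."""
    found = []
    if now - cred.issued_at > c.max_age:
        found.append("stale")
    if cred.chain_length > c.max_chain_length:
        found.append("chain too long")
    if cred.trust_level < c.min_trust_level:
        found.append("trust level too low")
    return found


class StubIssuer:
    """Constructed stand-in for the issuer: re-issues the same credential with a fresh timestamp."""

    def reissue(self, cred: Credential, now: int) -> Credential:
        return replace(cred, issued_at=now)


class ResourceServer:
    def __init__(self):
        self.constraints: Dict[str, Constraints] = {}

    def protect(self, resource: str, c: Constraints) -> None:
        self.constraints[resource] = c

    def access(self, resource: str, cred: Credential, now: int) -> bool:
        """Grant only when the presented credential meets every constraint of the resource."""
        return not violations(cred, self.constraints[resource], now)


class Presenter:
    def __init__(self, issuer: StubIssuer, cred: Credential):
        self.issuer = issuer
        self.cred = cred

    def prepare(self, c: Constraints, now: int) -> Credential:
        """Refresh before presentation when recency is the problem. Chain length and
        trust level cannot be fixed by re-issuing, so those failures are left for the
        server to reject."""
        if "stale" in violations(self.cred, c, now):
            self.cred = self.issuer.reissue(self.cred, now)
        return self.cred
```

Only the recency failure is repaired by refreshing; the other constraints describe properties of the credential itself, so a presenter that refreshes blindly would still be turned away, which is why prepare() consults the same violations() check the server uses.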